
Page 3 . 14
2 A list of current validated P2PE solution providers can be viewed at https://www.pcisecuritystandards.org/assessors_and_so-
lutions/point_to_point_encryption_solutions?agree=true.
In October 2019, PCI published their standard for 3D Secure (3DS), which is a secure consumer
authentication (SCA) solution for Ecommerce transactions. Similar to EMV at the point-of-sale (POS),
the goal of 3DS is to authenticate the consumer making the online purchase. However, like EMV, 3DS
does not secure Ecommerce transactions and data. This is where encryption and tokenization
solutions come into play, which secure data upon intake in web-based forms and protect that data at
rest or in storage in a system or network.
Any higher education organization with complex financial data challenges needs the ability to
leverage all security technologies with a single and simplified approach to data protection.
Privacy data history
Privacy data efforts have significantly increased over the past few years, with the addition of several
new laws and regulations.
One of the earliest privacy regulations, the U.S. Privacy Act, was enacted in 1974 to govern the
collection, maintenance, use, and dissemination of information about individuals. The Health
Insurance Portability and Accountability Act (HIPAA) was put in place in 1996 to protect health
information. In 1999 came the Gramm-Leach-Biley Act (GLBA) to protect financial and non-public
personal information (NPI). 2002 brought two new Acts: the Sarbanes-Oxley Act (SOX) to protect the
public from fraudulent practices by corporations, and the Federal Information Security Management
Acts (FISMA) which ordered U.S. agencies to protect data. The International Organization for
Standardization (ISO) generated ISO 27001 in 2013 to act as a framework for organizations’
information security management systems.
More recent regulations include the General Data Protection Regulation (GDPR), which was enacted
by the European Union (EU) in 2018 and focuses on protecting EU citizens’ personal data globally.
Other countries have been following the EU’s lead with GDPR, including the U.S. with state-based
laws including the California Consumer Privacy Act (CCPA), which restricts the collection and use of
personal data, effective in January 2020. Other states with privacy laws and protections include New
York, Hawaii, Maryland, Massachusetts and New Mexico.
While each law, act or regulation varies on what data is considered “private,” the core concept is to
protect data that could potentially harm an individual or data which consumers may not want
disclosed. Like the need in payment security to have a single approach to protect CHD and Account
Data across acceptance channels, it is also increasingly critical that colleges and universities have the
ability to address the different privacy requirements with a single security approach.